Re: (ITS#4025) Ppolicy overlay: objectIdentifierMatch rule doesn't understand descriptions
Samuel Tran wrote:
>> You can use the objectClass in general, just by loading the schema file.
>> But the code patch that changes the behavior of the pwdAttribute
>> attributeType resides in the ppolicy overlay. If you don't use the
>> overlay, the patch does not take effect. It wasn't clear to me that it
>> was a good idea to change the objectIdentifier syntax behavior for all
>> of slapd, so the patch is specific to the pwdAttribute attributeType. It
>> may be a topic for discussion on -devel, whether a global change is more
> I saw the new functions you added in your patch.
> IMHO the EQUALITY objectIdentifierMatch should be satisfied regardless
> of whether the ppolicy is specified or not.
> In core.schema there is that attribute 'supportedApplicationContext'
> that uses the same equality constraint. I haven't used it. Does it mean
> that it won't understand description?
The larger issue here is that OIDs are not maintained in a single table
in slapd. OIDs for AttributeTypes are recorded separately from OIDs for
ObjectClasses, Syntaxes, Matching Rules, or any other protocol elements
that have OIDs. While there is conceptually a single OID namespace, it
is not implemented as a single namespace inside slapd. So a generic OID
validator that accepts descriptors would need to look in many tables to
validate a name.
The other issue is that descriptors aren't guaranteed to be unique.
E.g., it's possible to have both an AttributeType and an ObjectClass
with the same name. X.500/ASN.1 doesn't care about descriptor clashes as
long as OIDs are unique, but this is a problem for LDAP.
The ppolicy patch works because I know that pwdAttribute will only be
used with OIDs of AttributeTypes. In the general case, we can't make any
such assumptions, and just searching for the first matching descriptor
in a variety of tables may yield the wrong numeric OID. For your example
'supportedApplicationContext' slapd doesn't have any notion of the
namespace in which ApplicationContext descriptors are registered, so in
that case the lookup would be futile anyway.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
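As an added illustration (not code from this thread and not slapd's own implementation), the following Python model shows the lookup problem described above: per-kind descriptor tables rather than one OID namespace, a numeric-OID check following RFC 4512, and a resolver that, like the ppolicy patch, restricts pwdAttribute values to the AttributeType table while a cross-kind lookup would have to detect the clash. The schema tables, the placeholder arc 1.3.6.1.4.1.99999 and the 'example' name clash are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable

# Constructed descriptor tables, one per schema element kind, mirroring the
# separate per-kind OID tables in slapd that the message describes. Keys are
# lowercased because LDAP descriptors are case-insensitive. The 'example'
# entries are invented to show an AttributeType/ObjectClass name clash.
SCHEMA: Dict[str, Dict[str, str]] = {
    "attributeType": {
        "cn": "2.5.4.3",                      # commonName (RFC 4519)
        "userpassword": "2.5.4.35",           # userPassword (RFC 4519)
        "example": "1.3.6.1.4.1.99999.1.1",   # constructed clash, placeholder arc
    },
    "objectClass": {
        "person": "2.5.6.6",                  # person (RFC 4519)
        "example": "1.3.6.1.4.1.99999.2.1",   # constructed clash, placeholder arc
    },
}

# RFC 4512 numericoid: number 1*( "." number ), no leading zeros in a component.
_NUMERICOID = re.compile(r"^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+$")


def is_numeric_oid(value: str) -> bool:
    return bool(_NUMERICOID.match(value))


class AmbiguousDescriptor(LookupError):
    """The descriptor names different OIDs in different element kinds."""


def resolve_oid(value: str, kinds: Iterable[str]) -> str:
    """Map an objectIdentifier-syntax value to a numeric OID.

    Numeric OIDs pass through unchanged; a descriptor is looked up only in
    the element kinds the caller allows. Searching several kinds can hit
    the same name with different OIDs, which is reported, not guessed.
    """
    if is_numeric_oid(value):
        return value
    key = value.lower()
    hits = {SCHEMA[kind][key] for kind in kinds if key in SCHEMA[kind]}
    if not hits:
        raise LookupError(f"unknown descriptor: {value!r}")
    if len(hits) > 1:
        raise AmbiguousDescriptor(f"{value!r} names several OIDs: {sorted(hits)}")
    return hits.pop()


def normalize_pwd_attribute(value: str) -> str:
    """pwdAttribute only ever names an AttributeType, so restrict the lookup."""
    return resolve_oid(value, ["attributeType"])


def object_identifier_match(a: str, b: str, kinds=("attributeType",)) -> bool:
    """objectIdentifierMatch equality after descriptor-aware normalization."""
    return resolve_oid(a, kinds) == resolve_oid(b, kinds)
```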